From: Juergen Gross
Subject: Re: null domains after xl destroy
Date: Wed, 3 May 2017 17:53:42 +0200
Message-ID: <062155e9-9535-9baa-e47d-24fd6196b032@suse.com>
To: Steven Haigh, glenn@rimuhosting.com
Cc: Andrew Cooper, Roger Pau Monné, Dietmar Hahn, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 03/05/17 12:45, Steven Haigh wrote:
> Just wanted to give this a little nudge now people seem to be back on
> deck...

Glenn, could you please give the attached patch a try? It should be
applied on top of the other correction; the old debug patch should not
be applied.

I have added some debug output to make sure we see what is happening.
Juergen

Attachment: blk.patch

commit 246aaf60bd934b7571944b98a31078d519d637c6
Author: Juergen Gross
Date: Wed May 3 15:57:18 2017 +0200

    xen/blkback: don't free be structure too early

    The be structure must not be freed when freeing the blkif structure
    isn't done. Otherwise a use-after-free of be when unmapping the ring
    used for communicating with the frontend will occur in case of a late
    call of xenblk_disconnect() (e.g. due to an I/O still active when
    trying to disconnect).

diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c index 411d2ded2456..0614fb294e2b 100644 --- a/drivers/block/xen-blkback/xenbus.c +++ b/drivers/block/xen-blkback/xenbus.c @@ -33,6 +33,7 @@ struct backend_info { unsigned major; unsigned minor; char *mode; + int delayed; }; static struct kmem_cache *xen_blkif_cachep; @@ -262,8 +263,11 @@ static int xen_blkif_disconnect(struct xen_blkif *blkif) * don't have any discard_io or other_io requests. So, checking * for inflight IO is enough. */ - if (atomic_read(&ring->inflight) > 0) + if (atomic_read(&ring->inflight) > 0) { + pr_warn("xen_blkif_disconnect: busy\n"); + blkif->be->delayed = 1; return -EBUSY; + } if (ring->irq) { unbind_from_irqhandler(ring->irq, ring); @@ -315,9 +319,11 @@ static int xen_blkif_disconnect(struct xen_blkif *blkif) static void xen_blkif_free(struct xen_blkif *blkif) { - - xen_blkif_disconnect(blkif); + pr_warn("xen_blkif_free: delayed = %d\n", blkif->be->delayed); + WARN_ON(xen_blkif_disconnect(blkif)); xen_vbd_free(&blkif->vbd); + kfree(blkif->be->mode); + kfree(blkif->be); /* Make sure everything is drained before shutting down */ kmem_cache_free(xen_blkif_cachep, blkif);
@@ -512,8 +518,7 @@ static int xen_blkbk_remove(struct xenbus_device *dev) /* Put the reference we set in xen_blkif_alloc(). */ xen_blkif_put(be->blkif); - kfree(be->mode); - kfree(be); + return 0; }
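Review bot: in the @@ -33,6 +33,7 @@ hunk the new `int delayed` field of struct backend_info is write-only apart from the pr_warn in xen_blkif_free(), so it is debugging state rather than part of the fix; if it stays in the test build, make it a bool and comment that it is debug-only, and drop it together with the two pr_warn calls before the patch is proposed for merging.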
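Review bot: in the @@ -262,8 +263,11 @@ hunk the pr_warn("xen_blkif_disconnect: busy\n") sits on the -EBUSY path that, per the commit message, is taken exactly when I/O is still in flight and the disconnect is retried later, so it can fire more than once per ring and per domain teardown; pr_warn_ratelimited() or pr_debug() is the better choice if the message is kept at all. The same hunk is also the first place in this function that dereferences blkif->be, so it quietly depends on be outliving blkif, which is the invariant the rest of the patch introduces; a one-line comment stating that ownership would make the dependency explicit.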
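Review bot: in the @@ -315,9 +319,11 @@ hunk WARN_ON(xen_blkif_disconnect(blkif)) only reports the -EBUSY case; the function then continues into xen_vbd_free(), kfree(blkif->be->mode), kfree(blkif->be) and kmem_cache_free() even though a ring is still mapped and has in-flight I/O, so if that warning ever fires the outcome is the same use-after-free class the commit message is fixing. Prefer to stop when disconnect reports busy, e.g. `if (WARN_ON(xen_blkif_disconnect(blkif))) return;`, since a leaked blkif is the lesser evil. The unconditional pr_warn("xen_blkif_free: delayed = %d\n", ...) also runs on every normal teardown and should become pr_debug() or go away before merging.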
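Review bot: in the @@ -512,8 +518,7 @@ hunk the header counts show the two kfree() lines replaced by a single added line, which appears to be an empty one ahead of `return 0;`; drop that stray blank line. More importantly, after this change xen_blkbk_remove() frees nothing itself: be and be->mode are released only from xen_blkif_free(), once the reference dropped by xen_blkif_put(be->blkif) reaches zero, so any path through here where that count does not reach zero leaks be and be->mode. A comment at the removal site saying that be is now owned by blkif and freed in xen_blkif_free() would save the next reader the search.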
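As an added example that is not part of this mail or of the blkback driver, here is a small userspace C model of the ownership problem the commit message describes. Every struct field and function name below (backend_info, xen_blkif, blkif_disconnect, blkbk_remove, io_complete, simulate) is a simplified stand-in chosen for readability, not the driver's real code, and the `alive` tombstone is a model-only device so the stale access is observable without KASAN. The model replays both orderings: the old one, where the xenbus remove callback frees be right after dropping its own blkif reference, and the patched one, where be is freed from the blkif free routine that runs once the last in-flight request has dropped its reference.

```c
/*
 * Added example, not kernel code: userspace model of the be / blkif lifetime
 * bug fixed by the patch above. The point demonstrated: be must live at least
 * as long as blkif, because the final blkif free (deferred until the last
 * in-flight request drops its reference) still runs the disconnect/unmap
 * path, and that path reaches the xenbus device through blkif->be.
 */
#include <stdlib.h>
#include <string.h>

struct backend_info {
    char *mode;
    int alive;      /* model-only tombstone so a use-after-free is observable */
};

struct xen_blkif {
    struct backend_info *be;
    int refcnt;     /* 1 from alloc + 1 per in-flight request */
    int inflight;
    int ring_mapped;
    int be_owned;   /* 1 = patched: blkif frees be; 0 = old: remove frees be */
    int uaf;        /* set when the unmap path finds be already freed */
};

static void be_free(struct backend_info *be)
{
    /* Kernel: kfree(be->mode); kfree(be). The model tombstones instead of
     * freeing the struct, so a later access can be detected safely. */
    free(be->mode);
    be->mode = NULL;
    be->alive = 0;
}

static int blkif_disconnect(struct xen_blkif *blkif)
{
    if (blkif->inflight > 0)
        return -1;                      /* -EBUSY: retried once I/O drains */
    if (blkif->ring_mapped) {
        /* unmapping the ring needs the xenbus device reached via blkif->be */
        if (!blkif->be->alive)
            blkif->uaf = 1;
        blkif->ring_mapped = 0;
    }
    return 0;
}

static void blkif_free(struct xen_blkif *blkif)
{
    blkif_disconnect(blkif);            /* the "late" disconnect */
    if (blkif->be_owned)
        be_free(blkif->be);             /* patched ordering: be dies with blkif */
}

static void blkif_put(struct xen_blkif *blkif)
{
    if (--blkif->refcnt == 0)
        blkif_free(blkif);
}

static void blkbk_remove(struct xen_blkif *blkif)
{
    blkif_disconnect(blkif);            /* busy while requests are in flight */
    blkif_put(blkif);                   /* drop the reference taken at alloc */
    if (!blkif->be_owned)
        be_free(blkif->be);             /* old ordering: be freed right here */
}

static void io_complete(struct xen_blkif *blkif)
{
    blkif->inflight--;
    blkif_put(blkif);                   /* the request's reference */
}

/* Returns 1 if teardown touched be after it was freed, 0 otherwise.
 * inflight_at_remove is a constructed workload: requests still pending
 * when the backend device is removed (the "xl destroy" moment). */
int simulate(int patched, int inflight_at_remove)
{
    struct backend_info *be = calloc(1, sizeof *be);
    struct xen_blkif *blkif = calloc(1, sizeof *blkif);
    int i, uaf;

    be->mode = malloc(2);
    strcpy(be->mode, "w");
    be->alive = 1;
    blkif->be = be;
    blkif->refcnt = 1;
    blkif->ring_mapped = 1;
    blkif->be_owned = patched;

    for (i = 0; i < inflight_at_remove; i++) {
        blkif->inflight++;
        blkif->refcnt++;
    }

    blkbk_remove(blkif);
    while (blkif->inflight > 0)
        io_complete(blkif);             /* outstanding requests drain later */

    uaf = blkif->uaf;
    free(be);
    free(blkif);
    return uaf;
}
```

simulate(0, 1) replays the reported failure (I/O still pending at removal, old ordering) and returns 1; with the patched ordering, or with no I/O in flight, the same sequence returns 0 because be is still alive when the deferred free finally unmaps the ring.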